The SPF, DKIM and DMARC protocols help contain spoofing and phishing attacks. Yet many companies do not have these records in place. Since the LocateRisk IT security analysis checks, among other things, the existence and configuration of SPF and DMARC, we will now shed some light on these abstract terms.
FACT: 90% of cyber attacks originate from emails.
Phishing
Phishing is a staple word in the cyber security world, especially in email security, so let's begin here. In this social engineering method, hackers use a fake trusted identity to send emails to the victim, posing as a sender from a domain known to the victim. The result of this could be access to credit card numbers, passwords and other private information.
SPF, DKIM and DMARC
They are a set of email authentication protocols used to prove to ISPs and email servers that the sender is indeed authorised to send email from a specific domain. These protocols prevent phishing attacks by proving that the sender is actually who they claim to be. Using these to verify your account will make you a trustworthy sender to the servers on the receiving end. The acronyms stand for:
SPF: Sender Policy Framework
DKIM: DomainKeys Identified Mail
DMARC: Domain-based Message Authentication, Reporting and Conformance
What is SPF?
SPF authentication specifies which servers are allowed to send email on behalf of your domain. The server on the receiving end of an email will receive the list (SPF record) of servers allowed to send email through your domain name. If the sending server is not listed on the SPF record of that domain, the email will fail the authentication test and could either be quarantined or rejected.
An SPF record is created by setting a TXT record in the domain DNS that is published by your domain administrator. Below is an example of an SPF record.
v=spf1 ip4:22.214.171.124 ip4:126.96.36.199 include:spf.mailjet.com include:_spf.google.com ~all
How to create an SPF record
Step 1 Set a TXT record. An SPF record begins with a statement of the version used, v=spf1, in the TXT record.
Step 2 Then come the IP addresses of all the mail servers that may use your domain to send mail. These can be listed as a range of IP addresses or as single IP addresses, all starting with the IP version ip4: or ip6:.
Step 3 Third-party providers allowed to use your domain are listed with include:. In our example above, mailjet.com and google.com are third-party mail servers allowed to send mail through that domain.
Step 4 Once all your servers have been added, you can end your SPF record with either ~all (softfail) or -all (hardfail) and save.
Softfail means emails from unauthorised servers (servers not on the SPF record) should still be allowed through, but marked as spam or suspicious. Hardfail on the other hand dictates that the unauthorised email be discarded.
Once created, the SPF record can then be published by your domain administrator. Note that it may take 24 hours or more for the changes to take effect.
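Before publishing, a record can be checked against the rules from Steps 1 to 4. The following Python linter is an added example, not LocateRisk code; the name lint_spf is hypothetical, and the limit of ten DNS-querying terms comes from RFC 7208 rather than from this article.

```python
import ipaddress
import re

# Terms that trigger a DNS query; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "hardfail", "~": "softfail", "?": "neutral"}

def lint_spf(record):
    """Parse one SPF TXT value; return (parsed, problems). Hypothetical helper."""
    parsed = {"ips": [], "includes": [], "all": None, "lookups": 0}
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return parsed, ["record must begin with v=spf1"]
    problems = []
    for pos, term in enumerate(terms[1:], start=1):
        qualifier = "+"                      # default when no prefix is given
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        value = term[len(name) + 1:]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
                if net.version != int(name[2]):
                    raise ValueError("address family mismatch")
                parsed["ips"].append(str(net))
            except ValueError:
                problems.append(f"bad {name} value: {value!r}")
        elif name == "include":
            parsed["includes"].append(value)
        elif name == "all":
            parsed["all"] = QUALIFIERS[qualifier]
            if pos != len(terms) - 1:
                problems.append("terms after 'all' are never evaluated")
        elif name not in LOOKUP_TERMS and name != "exp":
            problems.append(f"unknown term: {term!r}")
        if name in LOOKUP_TERMS:
            parsed["lookups"] += 1
    if parsed["all"] == "pass":
        problems.append("+all authorises every server on the internet")
    elif parsed["all"] is None and "redirect=" not in record.lower():
        problems.append("no 'all' term: unlisted servers get a neutral result")
    if parsed["lookups"] > 10:
        problems.append("more than 10 DNS-querying terms (permerror)")
    return parsed, problems

# The record shown in this article
SPF_EXAMPLE = ("v=spf1 ip4:22.214.171.124 ip4:126.96.36.199 "
               "include:spf.mailjet.com include:_spf.google.com ~all")
```

Calling lint_spf(SPF_EXAMPLE) returns an empty problem list and reports the record as softfail with two DNS-querying terms.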
What is DKIM?
DKIM is responsible for the integrity of the email. It ensures that the content of a sent email is not altered as it moves from server to server across the internet to the designated recipient. By using a hash algorithm on the email content, a string of numbers called the hash value is created. Changing even as much as a comma in the content will lead to a complete change in the hash value. In order to verify the integrity of the email, the receiving mail server calculates its own hash value and compares it with the received hash value. If they are not the same, then the message cannot be trusted.
Similar to SPF, DKIM also sets a TXT record in the domain to create a DKIM record, but a public and private key have to be created (asymmetric encryption).
A DKIM record could look like this: v=DKIM1\;k=rsa\;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC3QEKyU1fSma0axspqYK5iAj+54lsAg4qRRCnpKK68hawSd8zpsDz77ntGCR0X2mHVvkf0WEOIqaspaG/A5IGxieiWer+wBX8lW2tE4NHTE0PLhHqL0uD2sif2pKoPR3Wr6n/rbiihGYCIzvuY4/U5GigNUGls/QUbCPRyzho30wIDAQAB
It consists of the DKIM version (v=DKIM1), the encryption algorithm used (k=rsa) and the public key (p=..). The private key is used to encrypt the hashed email and never leaves the sending server. The public key is published in the DKIM record of the domain and is included in the header of the email. When the receiving server receives the email, it does the following:
Compares the public key given in the DKIM record to the public key given in the header. If they are identical, the authentication test is passed, and the email is sent to the recipient. If not, the email is either discarded or placed in quarantine, depending on the instructions in the DMARC record.
Calculates its own hash value from the content with the same hash algorithm used.
Then it compares the received hash value with the calculated hash value. If they are identical, then the email passed the integrity test. The recipient can be sure that the contents of the email have not been altered.
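The hash comparison described above, as an added Python example that is not part of the original article. It goes one step beyond the text by applying the "relaxed" body canonicalisation and the bh= tag defined in RFC 6376; it covers the body hash only, not the signature over the headers, and the sample message is constructed.

```python
import base64
import hashlib
import hmac
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 'relaxed' body canonicalisation."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of spaces/tabs and drop whitespace at line ends
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    while lines and lines[-1] == b"":        # ignore empty lines at the end
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)

def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonical body, the form carried in bh=."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode()

def body_intact(received_body: bytes, signed_bh: str) -> bool:
    """Receiver side: recompute the hash and compare it with the signed one."""
    return hmac.compare_digest(body_hash(received_body), signed_bh)

# Constructed sample message body
SENT = b"Hello Bob,\r\nplease pay invoice 4711.\r\n"
SIGNED_BH = body_hash(SENT)   # value the sending server would place in bh=
```

Extra spaces or trailing blank lines added in transit still verify, while replacing the comma after "Bob" with a full stop makes body_intact return False.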
How to create a DKIM record
Step 1 Create a new TXT record in the DNS settings for your domain. You will receive the domain key from your e-mail provider, for example: newsletter2022._domainkey.yourdomainname.com. Enter the name in the corresponding field.
Step 2 Generate a DKIM key pair via your e-mail provider and copy the public key, for example k=rsa; p=NIIVAIMAhgzifoH4ZFZPEQIR (public key), into the TXT record created on your domain.
Step 3 After saving, check whether the digital signature works by sending an e-mail to an address at Gmail or Outlook.com, for example. There you can see the raw content of the message. There should be a dkim=pass in the header. For Gmail, click on the three dots in the top right corner of the message, then choose Show original.
What is DMARC?
DMARC works in email authentication by matching the validity of SPF and DKIM records. With the DMARC record, the receiving server gets a set of instructions or policies set by the domain owner. The instructions tell the receiving server what to do with an email that does not pass the authentication test: quarantine or discard it. DMARC also shows which protocols (SPF, DKIM or both) have been implemented and generates a report for the sender, so they can fight spoofing on their end.
How to create a DMARC record
To set up a DMARC record (which is also a TXT record on the domain DNS), either DKIM, SPF or both must be active. A typical DMARC record looks like this:
v=DMARC1; p=reject; rua=mailto:email@example.com
v – indicates the version of the DMARC protocol being used.
p – gives the policy to follow for unauthorised emails:
  None – do nothing, lets the mail through
  Quarantine – place mail in spam folder
  Reject – discard mail
rua – tells where to send the report for emails that do not pass the authentication test
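The three tags explained above can be checked mechanically before the record goes live. This Python linter is an added example, not LocateRisk code; parse_dmarc and action_on_failure are hypothetical names, and it is stricter than a receiving server in that it reports malformed or duplicate tags as errors.

```python
# Policy value -> what happens to mail that fails, as listed above
ACTIONS = {"none": "deliver", "quarantine": "spam folder", "reject": "discard"}

def parse_dmarc(record):
    """Lint a DMARC TXT value; return (tags, errors, warnings)."""
    tags, errors, warnings = {}, [], []
    for part in record.split(";"):
        if not part.strip():
            continue                          # tolerate a trailing ';'
        key, sep, value = part.partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep or not key or not value:
            errors.append(f"malformed tag: {part.strip()!r}")
        elif key in tags:
            errors.append(f"duplicate tag: {key}")
        else:
            tags[key] = value
    # The version tag has to come first and must read exactly DMARC1
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        errors.append("v=DMARC1 must be the first tag")
    if tags.get("p", "").lower() not in ACTIONS:
        errors.append("p must be none, quarantine or reject")
    if "rua" not in tags:
        warnings.append("no rua: no reports will be received")
    for uri in filter(None, tags.get("rua", "").split(",")):
        address = uri.strip().split("!")[0]   # drop an optional size limit
        if not address.lower().startswith("mailto:") or "@" not in address:
            warnings.append(f"rua is not a mailto: address: {uri.strip()!r}")
    return tags, errors, warnings

def action_on_failure(record):
    """Action requested for failing mail, or None if the linter found errors."""
    tags, errors, _ = parse_dmarc(record)
    return None if errors else ACTIONS[tags["p"].lower()]

# The record shown in this article
DMARC_EXAMPLE = "v=DMARC1; p=reject; rua=mailto:email@example.com"
```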
Step 1 Set a TXT record in the DNS settings of your domain.
Step 2 Copy the host/name and value/destination provided by your email provider and paste them into the appropriate fields.
Step 3 Test your settings as already described under DKIM (Step 3) by sending an e-mail to a Gmail or Outlook address. Ideally, the header of the sent e-mail will look like this.
SPF, DKIM and DMARC serve email security and should be activated as part of your security concept. As part of a LocateRisk analysis, the category "DNS" is checked to see whether SPF and DKIM records are present and your mail server is well protected. If you are not sure whether your organisation uses SPF and DMARC, you should definitely check. We are always amazed at how many organisations put their security at risk by not setting these records.